I’m Indrajith AN, a 25-year-old security enthusiast from Bangalore, India. I’m working as a senior application security engineer in one of the Big4 Consulting/Auditing firms. I’m also Bug Hunting on Yogosha.
4 years ago, I started to learn security by myself. I was intrigued by hacker crews and their tactics of compromising systems, so I decided to start a career in security: it took me more than a year to become a Bug hunter. I participated in many VRPs (Vulnerability Reward Programs) and received rewards and acknowledgments from 70+ companies/Internet leaders such as Google, Microsoft, Apple, Oracle…
In 2018, I also published some CVEs, coordinating with the Cisco Product Security Incident Response Team.
I used to spend most of my time on IRC channels and forums to learn new techniques and to follow some G33ks. I had the chance to meet some highly skilled hackers such as Intrud3r-Fr33k or Shad0wSpawn3r. Intrud3r-Fr33k used to pwn my system by throwing RATs at it and formatted my entire 500 GB of data; he taught me a lot, which is why I chose IntruderX as my alias.
I found my first vulnerability by pwning a company’s website with an SQL injection. I gained access to the database with credit card info. Even though the company didn’t have a responsible disclosure & reward program, they sent me a hoodie – a certificate that you can wear at all times 🙂
A few weeks later, I was working on one of the Top 10 antivirus solutions in the world, and I managed to dump millions of users’ license keys with an SQL injection. I reported it to the company’s CISO, who sent me some swag and a certificate.
When I receive an invite, I usually start with active & passive recon. Then I pick up the Access Controls and IDORs (simple but tragic), thinking that the other hunters might focus on XSS/CSRF. And obviously, business logic vulnerabilities are at the top of my checklist.
My favorite program was “Try breaking into our signup page”, a program I did while Bug Hunting on Yogosha.
I submitted 6 high findings and 2 medium ones. The application developer who was handling the program was very reactive, and he fixed the vulnerabilities within 2 days.
I love the knowledge I can get from each program, by understanding different business logics & backend technologies. And obviously, I enjoy the reward and recognition from companies I help.
Thinking you can build a 100% safe application is a myth. Even with the best developers working for you, your application is still likely to have vulnerabilities. When companies rely on a crowdsourced community, they have more skilled people looking into their system than they could ever hire. It can also save them money, since they only pay the ones who find flaws. Breaches are expensive to recover from, way more expensive than money invested in bounties.
I believe Bug Bounty will become complementary to Modern Application Testing. It’s the best way for companies to know about their vulnerabilities before they become embarrassing news stories. Consumers will rely on a safer internet, and independent security experts will be fairly compensated for their efforts.
A lot of things! I met wonderful people worldwide, increased my network in our InfoSec community, and conducted trainings & workshops in colleges. Last but not least, I became an application security engineer in one of the Big4 auditing firms.
I’d like to become a Red Team security engineer and I have already started preparing for it. To know more about a Red Teamer’s skills, do not hesitate to watch this video of a power company in the Midwest that hired a group of elite red team engineers to test its defenses.
Thanks to Indrajith for this interview! You can join Yogosha’s private community by filling in this form. You will receive an email from us when we release a new challenge, and if you pass it, you will be invited to our bug bounty programs.